Ransomware : Your Worst IT Nightmare
Ransomware has become a modern cyberplague that represents an extinction-level threat for businesses vulnerable to an assault. Versions of ransomware like the Dharma, WannaCry, Bad Rabbit, Syskey and MongoLock families have been circulating for a long time and continue to cause damage. The latest strains of ransomware such as Ryuk, Maze, Sodinokibi, DoppelPaymer, Snatch or Egregor, plus frequent unnamed malware, not only encrypt on-line critical data but also disable many of the system protections that have been configured. Data synced to the cloud can also be corrupted. In a poorly architected environment, this can make automatic recovery hopeless and effectively sets the network back to zero.

Retrieving applications and information following a crypto-ransomware intrusion becomes a race against the clock as the targeted organization fights to stop lateral movement and remove the crypto-ransomware and to restore mission-critical activity. Since ransomware requires time to move laterally, attacks are often launched during nights and weekends, when successful attacks in many cases take longer to recognize. This multiplies the difficulty of quickly mobilizing and organizing a qualified response team.

Progent offers an assortment of solutions for protecting organizations from ransomware penetrations. These include team member education to help recognize and not fall victim to phishing attempts, ProSight Active Security Monitoring for remote monitoring and management, along with installation of next-generation security appliances with machine learning technology to intelligently detect and disable zero-day threats. Progent also provides the services of expert ransomware recovery engineers with the skills and perseverance to re-deploy a breached network as rapidly as possible.

Progent's Crypto-Ransomware Recovery Help
Following a ransomware penetration, even paying the ransom in cryptocurrency does not guarantee that the attackers will respond with the keys needed to decrypt any of your data. Kaspersky estimated that 17% of crypto-ransomware victims never recovered their files after having sent off the ransom, resulting in increased losses. The gamble is also very costly. Ryuk ransoms frequently range from 15-40 BTC (roughly $120,000 to $400,000). This is far higher than the average crypto-ransomware demand, which ZDNET estimates to be around $13,000. The alternative is to piece back together the key parts of your Information Technology environment. Absent access to complete system backups, this calls for a wide complement of skill sets, professional team management, and the capability to work 24x7 until the job is done.

For decades, Progent has provided expert IT services for businesses in Santa Monica and across the U.S. and has earned Microsoft's Gold Partnership certification status in the Datacenter and Cloud Productivity competencies. Progent's group of subject matter experts (SMEs) includes engineers who have earned top certifications in important technologies like Microsoft, Cisco, VMware, and popular distributions of Linux. Progent's security consultants have earned internationally-recognized certifications including CISA, CISSP-ISSAP, ISACA CRISC, and SANS GIAC. (Visit Progent's certifications). Progent in addition has experience in financial systems and ERP applications. This breadth of expertise provides Progent the skills to efficiently identify important systems and re-organize the surviving pieces of your computer network system following a ransomware attack and configure them into a functioning network.

Progent's ransomware group utilizes state-of-the-art project management tools to orchestrate the complex recovery process. Progent understands the importance of acting rapidly and in unison with a customer's management and IT resources to assign priority to tasks and to put essential services back on line as soon as humanly possible.

Business Case Study: A Successful Crypto-Ransomware Incident Recovery
A business escalated to Progent after their network was attacked by the Ryuk crypto-ransomware. Ryuk is generally considered to have been created by North Korean state criminal gangs, possibly adopting algorithms exposed from the U.S. NSA organization. Ryuk targets specific companies with limited room for operational disruption and is among the most profitable examples of ransomware. Major victims include Data Resolution, a California-based data warehousing and cloud computing firm, and the Chicago Tribune. Progent's client is a regional manufacturer based in Chicago with about 500 employees. The Ryuk penetration had disabled all essential operations and manufacturing processes. Most of the client's backups had been online at the start of the attack and were destroyed. The client was taking steps to pay the ransom demand (more than two hundred thousand dollars) and hoping for the best, but ultimately engaged Progent.


"I can't say enough about the support Progent provided us during the most fearful period of (our) company's survival. We may have had to pay the cybercriminals except for the confidence the Progent team provided us. That you were able to get our e-mail and important applications back online faster than one week was earth shattering. Each consultant I interacted with or messaged at Progent was absolutely committed on getting our company operational and was working at all hours to bail us out."

Progent worked hand in hand with the customer to rapidly understand and prioritize the critical systems that needed to be recovered to make it possible to continue departmental functions:

  • Active Directory
  • Microsoft Exchange Server
  • Accounting/MRP
To get going, Progent adhered to anti-malware incident response industry best practices by isolating the affected systems and cleaning them of malware. Progent then initiated the work of restoring Microsoft Active Directory, the core of enterprise systems built on Microsoft Windows technology. Exchange email will not function without AD, and the business's accounting and MRP applications used SQL Server, which relies on Active Directory for authentication and authorization of access to the data.

Within two days, Progent was able to rebuild Active Directory services to their pre-penetration state. Progent then assisted with reinstallations and storage recovery of key servers. All Exchange Server data and attributes were intact, which greatly helped the rebuild of Exchange. Progent was also able to collect intact OST files (Outlook Offline Data Files) on user PCs to recover mail data. A relatively recent offline backup of the business's financials/MRP software made it possible to bring these essential services back online. Although significant work remained to recover completely from the Ryuk event, critical services were recovered rapidly:


"For the most part, the assembly line operation ran fairly normal throughout and we produced all customer shipments."

During the following few weeks important milestones in the restoration process were achieved through tight cooperation between Progent engineers and the client:

  • Internal web sites were returned to operation without losing any information.
  • The MailStore Server with over 4 million archived emails was restored to operations and available for users.
  • CRM/Product Ordering/Invoicing/Accounts Payable (AP)/Accounts Receivables/Inventory Control modules were completely recovered.
  • A new Palo Alto Networks 850 firewall was set up.
  • Most of the user desktops and notebooks were functioning as before the incident.

"So much of what went on during the initial response is nearly entirely a blur for me, but our team will not soon forget the countless hours each of the team accomplished to give us our company back. I have trusted Progent for at least 10 years, possibly more, and every time I needed help Progent has come through and delivered as promised. This situation was no exception but maybe more Herculean."

Conclusion
A possible business disaster was dodged through the efforts of hard-working experts, a wide range of technical expertise, and close teamwork. Although in hindsight the crypto-ransomware incident described here could have been stopped with modern cyber security systems and best practices, staff education, well-designed incident response procedures for data protection, and proper patching controls, the reality is that state-sponsored hackers from Russia, North Korea and elsewhere are relentless and are not going away. If you do get hit by ransomware, feel confident that Progent's roster of professionals has extensive experience in crypto-ransomware defense, remediation, and data restoration.


"So, to Darrin, Matt, Aaron, Claude, Jesse, Arnaud, Allen, Tony and Chris (along with others who were contributing), thanks very much for allowing me to get some sleep after we got through the initial push. All of you did a fabulous effort, and if any of your team is in the Chicago area, dinner is on me!"

To read or download a PDF version of this case study, please click:
Progent's Ryuk Recovery Case Study Datasheet. (PDF - 282 KB)

Additional Ransomware Protection Services Available from Progent
Progent offers businesses in Santa Monica a range of online monitoring and security assessment services to assist you to minimize the threat from crypto-ransomware. These services include modern artificial intelligence technology to detect zero-day variants of ransomware that can get past traditional signature-based security solutions.

  • ProSight Active Security Monitoring: Endpoint Protection and Ransomware Defense
    ProSight Active Security Monitoring is an endpoint protection (EPP) solution that incorporates next generation behavior analysis tools to defend physical and virtual endpoint devices against new malware attacks like ransomware and file-less exploits, which easily get past traditional signature-based anti-virus tools. ProSight ASM protects local and cloud-based resources and provides a single platform to automate the complete malware attack lifecycle including blocking, detection, mitigation, remediation, and post-attack forensics. Top capabilities include single-click rollback using Windows Volume Shadow Copy Service (VSS) and automatic system-wide immunization against new attacks. Learn more about Progent's ProSight Active Security Monitoring (ASM) next-generation endpoint protection and ransomware recovery.

  • ProSight Enhanced Security Protection: Physical and Virtual Endpoint Protection and Microsoft Exchange Email Filtering
    ProSight Enhanced Security Protection (ESP) services deliver ultra-affordable multi-layer security for physical servers and virtual machines, workstations, smartphones, and Exchange email. ProSight ESP utilizes adaptive security and advanced heuristics for continuously monitoring and responding to cyber threats from all attack vectors. ProSight ESP offers firewall protection, intrusion alarms, endpoint management, and web filtering through cutting-edge technologies packaged within one agent accessible from a single console. Progent's data protection and virtualization experts can assist your business to design and implement a ProSight ESP deployment that addresses your company's specific requirements and that helps you achieve and demonstrate compliance with legal and industry information protection regulations. Progent will help you define and implement security policies that ProSight ESP will enforce, and Progent will monitor your network and respond to alarms that require immediate action. Progent's consultants can also assist you to set up and test a backup and disaster recovery system like ProSight Data Protection Services (DPS) so you can recover rapidly from a destructive security attack such as ransomware. Find out more about Progent's ProSight Enhanced Security Protection (ESP) unified endpoint protection and Microsoft Exchange email filtering.

  • ProSight Data Protection Services: Managed Backup and Disaster Recovery
    ProSight Data Protection Services from Progent provide small and mid-sized organizations an affordable and fully managed solution for secure backup/disaster recovery. For a fixed monthly cost, ProSight Data Protection Services automates your backup processes and enables rapid restoration of critical files, apps and VMs that have become lost or corrupted as a result of component breakdowns, software glitches, natural disasters, human error, or malware attacks like ransomware. ProSight DPS can help you back up, recover and restore files, folders, apps, system images, plus Microsoft Hyper-V and VMware images. Important data can be protected in the cloud, on an on-premises device, or mirrored to both. Progent's backup and recovery specialists can provide world-class expertise to configure ProSight DPS to be compliant with government and industry regulatory standards like HIPAA, FERPA, and PCI and, whenever necessary, can help you to recover your business-critical information. Learn more about ProSight DPS Managed Cloud Backup and Recovery.

  • ProSight Email Guard: Inbound and Outbound Spam Filtering and Data Leakage Protection
    ProSight Email Guard is Progent's spam and virus filtering service that uses the infrastructure of leading data security vendors to deliver centralized control and comprehensive protection for all your email traffic. The hybrid structure of Email Guard combines cloud-based filtering with a local security gateway appliance to provide advanced defense against spam, viruses, DoS attacks, directory harvest attacks (DHAs), and other email-based malware. The cloud filter serves as a preliminary barricade and keeps most unwanted email from ever reaching your network firewall. This reduces your exposure to external attacks and conserves network bandwidth and storage. Email Guard's on-premises security gateway device adds a deeper level of analysis for inbound email. For outgoing email, the onsite security gateway offers AV and anti-spam filtering, policy-based Data Loss Prevention, and email encryption. The on-premises gateway can also help Microsoft Exchange Server to monitor and protect internal email traffic that originates and ends within your security perimeter. For more details, visit Email Guard spam and content filtering.

  • ProSight WAN Watch: Network Infrastructure Management
    ProSight WAN Watch is an infrastructure monitoring and management service that makes it easy and affordable for smaller organizations to diagram, monitor, enhance and troubleshoot their connectivity hardware such as switches, firewalls, and wireless controllers plus servers, client computers and other devices. Using cutting-edge RMM technology, ProSight WAN Watch ensures that network maps are kept updated, captures and manages the configuration information of virtually all devices on your network, monitors performance, and sends notices when potential issues are detected. By automating complex management processes, ProSight WAN Watch can cut hours off common chores such as network mapping, expanding your network, finding appliances that require important updates, or isolating performance issues. Learn more about ProSight WAN Watch infrastructure management services.

  • ProSight LAN Watch: Server and Desktop Remote Monitoring
    ProSight LAN Watch is Progent's server and desktop remote monitoring service that uses advanced remote monitoring and management technology to keep your network running at peak levels by tracking the health of critical computers that drive your information system. When ProSight LAN Watch uncovers an issue, an alarm is transmitted immediately to your designated IT management staff and your assigned Progent consultant so all looming problems can be addressed before they have a chance to disrupt your network. Learn more about ProSight LAN Watch server and desktop monitoring services.

  • ProSight Virtual Hosting: Hosted VMs at Progent's World-class Data Center
    With Progent's ProSight Virtual Hosting service, a small organization can have its critical servers and apps hosted in a secure Tier III data center on a fast virtual machine host set up and maintained by Progent's IT support professionals. Under the ProSight Virtual Hosting model, the client retains ownership of the data, the OS platforms, and the apps. Since the system is virtualized, it can be moved immediately to an alternate hosting solution without a lengthy and difficult configuration procedure. With ProSight Virtual Hosting, you are not locked into one hosting service. Find out more about ProSight Virtual Hosting services.

  • ProSight IT Asset Management: Network Documentation Management
    Progent's ProSight IT Asset Management service is an IT infrastructure documentation management service that allows you to capture, update, retrieve and protect data related to your network infrastructure, processes, applications, and services. You can quickly locate passwords or serial numbers and be warned about upcoming expirations of SSL certificates, domains or warranties. By updating and managing your network documentation, you can eliminate up to half of the time wasted searching for critical information about your IT network. ProSight IT Asset Management includes a centralized repository for storing and collaborating on all documents required for managing your network infrastructure like standard operating procedures (SOPs) and self-service instructions. ProSight IT Asset Management also offers advanced automation for collecting and relating IT information. Whether you're planning enhancements, performing regular maintenance, or responding to an emergency, ProSight IT Asset Management gets you the information you need the instant you need it. Find out more about Progent's ProSight IT Asset Management service.

For 24/7/365 Santa Monica Ransomware Removal Consulting, contact Progent at 800-993-9400 or go to Contact Progent.